Description

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

INFO

Published Date :

2026-04-22T16:07:31.316Z

Last Modified :

2026-04-24T03:55:21.897Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35338 vulnerability.

Vendors Products
Uutils
  • Coreutils
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35338.

URL Resource
https://github.com/uutils/coreutils/pull/10033 cve-icon cve-icon
https://github.com/uutils/coreutils/releases/tag/0.6.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact